CFAA Timeline

This website contains a timeline of failed, passed, and in-discussion amendments of the CFAA. The timeline can be viewed in 2d or 3d by clicking on the little circle in the bottom left-hand corner of the page.

Categories:
Red events = H.R. Introduced
Blue events = Passed House
Green events = Became Law
Orange events = S. Introduced
Yellow events = Passed Senate
Purple events = Resolving Differences

S.1607 - Violent Crime Control and Law Enforcement Act of 1993

Introduced by Sen. Biden, Joseph R., Jr. [D-DE] on 11/01/1993 Status: Failed Summary: Amends the Computer Fraud and Abuse Act to make it a felony to knowingly transmit an unauthorized program or code that alters the information stored in a computer with the intent to damage the system or information contained within the affected computer or system, or to withhold or deny the use of such system or information, if the transmission: (1) occurred without the authorization of the person responsible for the computer system receiving the program; and (2) causes damage exceeding $1,000 in any one-year period or modifies or impairs the medical care of one or more individuals. Makes it a misdemeanor to recklessly transmit a destructive computer program or code. Creates a civil cause of action for persons suffering damage or loss by virtue of a violation of this Act. Modifies the prohibition against accessing a Government computer where such conduct affects the use of the Government's operation of such computer to cover only actions that "adversely" affect such use.

H.R. 3355 - Computer Abuse Amendments Act of 1994

Introduced by Rep. Brooks, Jack B. [D-TX-9] on 10/26/1993 Status: Became law on 09/13/1994 Until 1994, the CFAA was the main federal computer crime statute. Under the original CFAA, only criminal penalties - specifically, fines and imprisonment - were available, but the Computer Abuse Amendments Act of 1994 (“CAAA”) added civil remedies such as compensatory damages and equitable or injunctive relief. The amendments also extended protection to incorporate damage or loss inflicted not only by outsiders, but also insiders or other authorized users, and further classified certain types of reckless conduct and intentional acts as criminal. Congress also amended the CFAA so that it protected any “computer used in interstate commerce or communication” rather than a “federal interest computer.” Congress’s purpose for the change was to include certain non-government computers that Congress believed warranted federal protection. While the CFAA pre–1994 was directed toward the unauthorized access of a computer system, the post–1994 statute broadened the prescribed range of conduct to include transmissions. The focus became the defendant's harmful intent and resulting harm, rather than on the technical concept of computer access and authorization, with the option for civil remedy. Scope: ●Amends the Computer Fraud and Abuse Act to make it a felony to knowingly transmit an unauthorized program, code, or command with intent to damage a computer system or information contained within a computer system, or to withhold or deny the use of such system or information, if the transmission: (1) occurred without the authorization of the person responsible for the computer system receiving the program; and (2) causes damage exceeding $1,000 in any one-year period or modifies or impairs the medical care of one or more individuals. ●Makes it a misdemeanor to recklessly transmit a destructive computer program, code, or command. 
●Creates a civil cause of action for persons suffering damage or loss by virtue of a violation of this Act. ●Modifies the prohibition against accessing a Government computer where such conduct affects the use of the Government's operation of such computer to cover only actions that "adversely" affect such use.

S.3414 - Cybersecurity Act of 2012 or the CSA2012

Introduced by Sen. Lieberman, Joseph I. [ID-CT] on 7/19/2012 Status: Failed Summary: ●Defines a "cybersecurity crime" as violation of a state or federal law relating to computer crimes, including any provision of the federal criminal code enacted or amended by the Computer Fraud and Abuse Act of 1986. ●Establishes a National Cybersecurity Council, to be chaired by the Secretary of Homeland Security (DHS) (the Secretary), to: (1) conduct sector-by-sector risk assessments; (2) identify categories of critical cyber infrastructure (CCI categories); (3) coordinate the adoption of private-sector recommended voluntary outcome-based cybersecurity practices; (4) establish an incentives-based voluntary cybersecurity program for critical infrastructure to encourage owners of critical infrastructure to adopt such practices; (5) develop procedures to inform critical infrastructure owners and operators of cyber threats, vulnerabilities, and consequences; and (6) provide any technical guidance or assistance requested by owners and operators. ●Directs the Council to designate an agency to: (1) conduct top-level cybersecurity assessments of cyber risks to critical infrastructure with voluntary participation from private sector entities; and (2) prioritize ongoing, sector-by-sector assessments beginning with sectors posing the greatest immediate risk. ●Requires the Council to submit each risk assessment to the President and appropriate federal agencies and congressional committees. ●Directs the Council to: (1) identify CCI categories within each sector of critical infrastructure and critical infrastructure owners within each category, and (2) establish a procedure for owners of critical cyber infrastructure to challenge the identification.
●Directs the Council to identify CCI categories as critical cyber infrastructure only if damage or unauthorized access could reasonably result in: (1) the interruption of life-sustaining services (including energy, water, transportation, emergency services, or food) sufficient to cause a mass casualty event or mass evacuations; (2) catastrophic economic damage to the United States, including financial markets, transportation systems, or other systemic, long-term damage; or (3) severe degradation of national security. ●Requires the Council to establish procedures under which owners of critical cyber infrastructure shall report significant cyber incidents affecting critical cyber infrastructure. ●Provides for congressional review of critical cyber infrastructure determinations. ●Requires private sector coordinating councils (PSCC) within critical infrastructure sectors established by the National Infrastructure Protection Plan to propose cybersecurity practices to the Council. Directs the Council to adopt: (1) any proposed practices and any necessary amended or additional practices that adequately address identified cyber risks, and (2) practices pursuant to the Council's own assessment if a PSCC fails to submit proposals. ●Permits federal agencies with responsibilities for regulating the security of critical infrastructure to adopt such practices as mandatory requirements. Requires agencies that do not adopt the practices to report to Congress on the agency's reasoning, including a description of whether the agency is maintaining practices sufficient to effectively address cyber risks.
●Directs the Council to establish the Voluntary Cybersecurity Program for Critical Infrastructure under which owners of critical infrastructure certified to participate in the Program select and implement cybersecurity measures of their choosing that satisfy such cybersecurity practices in exchange for: (1) liability protection from punitive damages; (2) expedited security clearances; and (3) prioritized technical assistance, real-time cyber threat information, and public recognition. ●Prohibits any of the above provisions relating to the critical infrastructure public-private partnership from limiting the ability of a federal agency with responsibilities for regulating the security of critical infrastructure from requiring that the cybersecurity practices adopted by the Council be met. ●Directs the Secretary to establish a Critical Infrastructure Cyber Security Tip Line. ●Requires the Secretary to: (1) inform the owner or operator of information infrastructure located outside the United States the disruption of which could result in catastrophic damage within the United States and the government of the country in which the information infrastructure is located of any cyber risks to such information infrastructure; and (2) coordinate with such governments and owners or operators regarding the implementation of measures to mitigate or remediate cyber risks. ●Amends the federal Information Security Management Act of 2002 (FISMA) to direct the Secretary to oversee the information security requirements of federal agencies. (Currently, the Director of the Office of Management and Budget [OMB] has such oversight authority and has administratively transferred certain responsibilities to DHS through an OMB memorandum.) Revises information security requirements for federal agencies and provides for continuous monitoring and streamlined reporting of cybersecurity risks. 
●Maintains: (1) the President's oversight over national security systems; and (2) the delegation of authority to the Department of Defense (DOD), Central Intelligence Agency (CIA), and Director of National Intelligence (DNI) for specified defense and intelligence systems. ●Amends the Homeland Security Act of 2002 to consolidate existing DHS resources for cybersecurity within a National Center for Cybersecurity and Communications. Sets forth the duties of the Center, including managing efforts to secure, protect, and ensure the resiliency of the federal information infrastructure, supporting private sector efforts to protect such infrastructure, prioritizing efforts to address the most significant risks to the information infrastructure, and ensuring privacy protections. ●Requires the Center to be headed by a Director (appointed by the President with Senate confirmation) who reports to the Secretary. Directs the DNI to identify a Deputy Director with concurrence of the Secretary. ●Directs the Center to: (1) oversee the national security and emergency preparedness communications infrastructure, including the Office of Emergency Communications and the National Communications System; (2) develop a national incident response plan detailing the roles of federal agencies, state and local governments, and the private sector; and (3) consult with international partners. ●Requires the Center to establish procedures to: (1) ensure regular and timely sharing of cybersecurity information between and among federal and nonfederal entities, including cybersecurity centers, network and security operations centers, cybersecurity exchanges, and nonfederal entities responsible for such systems; and (2) share cybersecurity threat and vulnerability information by the federal government with owners and operators of the national information infrastructure.
●Prohibits federal entities from: (1) using certain voluntarily submitted information as evidence in regulatory enforcement actions; or (2) unless otherwise authorized by law, compelling a disclosure of information from a private entity or intercepting wire, oral, or electronic communications. ●Requires federal agencies, unless otherwise directed by the President, to immediately notify the Center of any incident affecting a national security system. ●Directs the Director of the Office of Science and Technology Policy to develop a national cybersecurity research and development plan to encourage the development of computer technologies and software to protect against evolving cyberthreats. ●Requires the National Science Foundation (NSF), Secretary, and Secretary of Commerce to establish a program for federal agencies to award grants to institutions of higher education or research and development nonprofit institutions to establish cybersecurity test beds capable of realistic modeling of real-time cyber attacks and defenses. ●Directs the NSF to establish cybersecurity research centers based at institutions of higher education and other entities. ●Requires the DHS and DOD to jointly establish academic and professional Centers of Excellence to protect critical infrastructure in conjunction with international academic and professional partners from countries that may include appropriate U.S. allies. ●Directs the NSF to establish a federal Cyber Scholarship-for-Service program. ●Directs the Secretary to develop and update periodically an acquisition risk management strategy including procedures to: (1) assess risks to the federal information infrastructure supply chain, (2) incorporate internationally recognized standards with input from the private sector, and (3) share threat information with the private sector. 
●Amends federal information technology procurement laws to provide information security training to contracting officers and promote the acquisition of information security products through authorized channels or distributors of a supplier. ●Sets forth the responsibilities of the Department of State with respect to the coordination of international norms for cyberspace to be developed with other countries and the consideration of cybercrime in foreign policy and foreign assistance programs. ●Authorizes private entities to monitor and operate countermeasures to protect against cybersecurity threats on their own information systems and the information systems of a third party with such party's express prior consent. ●Permits private entities to disclose lawfully obtained cybersecurity threat indicators to other private entities for the sole purpose of protecting information systems. Sets forth requirements for safeguarding information that could be used to identify specific persons and prohibits the use of such information to gain an unfair competitive advantage. ●Directs the Secretary to establish a process for: (1) designating one or more civilian federal entities, private entities, or nonfederal government entities to serve as cybersecurity exchanges; and (2) sharing classified and unclassified cybersecurity threat indicators in as close to real time as possible with appropriate entities. ●Requires the Secretary to designate a civilian federal entity as the lead cybersecurity exchange for information sharing among federal entities and with state, local, tribal, and territorial governments, international partners, and private entities. 
●Authorizes federal entities to disclose cybersecurity threat indicators to law enforcement if: (1) disclosure is permitted under procedures developed by the Secretary and approved by the Attorney General (DOJ) to protect privacy and civil liberties; and (2) the information pertains to a cybersecurity crime, an imminent threat of death or serious bodily harm, or a serious threat to minors, including sexual exploitation and threats to physical safety. ●Allows law enforcement to use such indicators only to: (1) protect information systems from a cybersecurity threat or investigate, prosecute, or disrupt a cybersecurity crime; or (2) protect individuals from imminent threats of death or serious bodily harm and minors from serious threats. Sentencing: ●Directs federal entities to develop and enforce appropriate sanctions for employees who conduct cybersecurity information activities outside the normal course of duties or in a manner inconsistent with their responsibilities or in contravention of procedures to protect privacy and civil liberties. ●Establishes a cause of action against the United States if a federal entity intentionally or willfully violates cybersecurity information laws or related regulations.

S.1196 - Aaron's Law Act of 2013

Introduced by Sen. Wyden, Ron [D-OR] on 6/20/2013 Status: Failed Definitions: ●Amends provisions of the Computer Fraud and Abuse Act (CFAA) prohibiting computer fraud to replace the phrase "exceeds authorized access" with "access without authorization," which is defined as obtaining information on a protected computer that the accesser lacks authorization to obtain by knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information. Sentencing: ●Modifies CFAA penalty provisions to: (1) limit the imposition of enhanced penalties to subsequent offenses under such Act (currently, additional penalties are allowed if there is a conviction for another offense) and to criminal acts punishable under federal or state law by a term of imprisonment for more than one year; and (2) require the determination of the value of information for enhanced penalty purposes to be made by reference to fair market value.

S.1984 - Credit Card Theft Sentencing Act of 2014

Introduced by Sen. Kirk, Mark Steven [R-IL] on 2/3/2014 Status: Failed Sentencing: ●Amends the Computer Fraud and Abuse Act to set penalties of a fine, imprisonment for at least 25 years or for life, or both for intentionally accessing a computer without authorization or exceeding authorized access and thereby obtaining information of 1 million or more credit card holders contained in a financial record of a financial institution or a card issuer, contained in a file of a consumer reporting agency on a consumer, from any federal agency, or from any protected computer.

S.1030 - Aaron's Law Act of 2015

Introduced by Sen. Wyden, Ron [D-OR] on 4/21/2015 Status: In Progress Definitions: Amends provisions of the Computer Fraud and Abuse Act (CFAA) prohibiting computer fraud to replace the phrase "exceeds authorized access" with "access without authorization," which is defined as obtaining information on a protected computer that the accesser lacks authorization to obtain by knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information. Sentencing: Modifies CFAA penalty provisions to: (1) limit the imposition of enhanced penalties to subsequent offenses under such Act (currently, additional penalties are allowed if there is a conviction for another offense) and to criminal acts punishable under federal or state law by a term of imprisonment for more than one year; and (2) require the determination of the value of information for enhanced penalty purposes to be made by reference to fair market value.

S.3342 - Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012 or SECURE IT Act of 2012

Introduced by Sen. McCain, John [R-AZ] on 6/27/2012 Status: Failed Summary: ●Amends the Computer Fraud and Abuse Act to increase and further delineate the criminal penalties for computer fraud and related activities. Sentencing: ●Establishes an offense for aggravated damage to a public or private critical infrastructure computer that manages or controls systems or assets vital to national defense, national security, national economic security, or public health or safety.

S.2451 - A bill to increase criminal penalties for computer crimes, establish a National Commission on Cybersecurity, and for other purposes

Introduced by Sen. Hutchison, Kay Bailey [R-TX] on 4/13/2000 Status: Failed Summary: Rewrites provisions of the Computer Fraud and Abuse Act of 1986 regarding fraud and related activity in connection with computers to: (1) broaden the scope of the Act (to repeal certain limitations on its scope and to include "causing damage"); and (2) double the penalties for the commission of such fraud or related activity under various specified circumstances. Establishes the National Commission on Cybersecurity. Directs the Commission to study the incidents of computer crimes and the need for enhanced methods of combating computer crimes. Sets forth reporting requirements. Definitions: Redefines "damage" for purposes of the Act to include causing loss or interruption of service to the general public.

S.2430 - Internet Security Act of 2000

Introduced by Sen. Leahy, Patrick J. [D-VT] on 4/13/2000 Status: Failed Summary: Amends the Computer Fraud and Abuse Act of 1986 (the Act) to set forth penalties for unlawfully accessing to commit fraud, and damaging, a protected computer where that conduct: (1) causes a loss aggregating at least $5,000 in value during a one-year period to one or more individuals; (2) modifies or impairs the medical examination, diagnosis, treatment, or care of one or more individuals; (3) causes physical injury to any person; or (4) threatens public health or safety. Includes attempted offenses within the scope of the Act. Provides for the forfeiture to the United States of the offender's interest in any: (1) personal property used to commit or facilitate the offense; and (2) real or personal property that constitutes or is derived from proceeds traceable to a violation. Limits "losses" (currently, "damages for violations involving damage") to economic damages. Defines "loss" to include: (1) the reasonable costs to any victim of responding to the offense, conducting a damage assessment, and restoring the system and data; and (2) any lost revenue or costs incurred by the victim as a result of interruption of service. Specifies that property subject to forfeiture, any seizure and disposition of property, and any administrative or judicial proceeding in relation thereto shall be governed by the Comprehensive Drug Abuse Prevention and Control Act of 1970. (Sec. 3) Expresses the sense of Congress that: (1) acts that damage computers used in the delivery of critical infrastructure services pose a serious threat to public health and safety and have the potential to cause losses to victims; and (2) the Government should have jurisdiction to investigate acts affecting protected computers, even if the effects of such acts occur wholly outside the United States.
(Sec. 4) Directs the United States Sentencing Commission to amend the federal sentencing guidelines to ensure that any individual convicted of a violation of the Act regarding the accessing of a protected computer under specified unlawful circumstances can be subjected to appropriate penalties, without regard to any mandatory minimum term of imprisonment. (Sec. 5) Directs the court, with respect to any person convicted of trafficking in counterfeit computer labels, program documentation, or packaging, to order the forfeiture and destruction or other disposition of anything used to copy or produce the computer program or other item to which the counterfeit label was affixed. (Sec. 7) Rewrites federal criminal code provisions regarding pen registers and trap and trace devices to authorize the court, with respect to requests from an attorney for the Government or a State law enforcement or investigative officer, to enter an order authorizing the installation and use of such a device if the court finds that the information likely to be obtained is relevant to an ongoing criminal investigation. Requires that the use of the device be conducted in such a way as to minimize the recording or decoding of any electronic or other impulses that are not related to the dialing and signaling information utilized in processing by the service provider upon whom the order is served.
(Sec. 8) Revises the definition of "pen register" to: (1) mean a device or process that records or decodes electronic or other impulses that identify the telephone numbers or electronic addresses dialed or otherwise transmitted by an instrument or facility from which a wire or electronic communication is transmitted and used for purposes of identifying the destination or termination of such communication by the service provider upon which the order is served; and (2) exclude any device or process used by a provider or customer of a wire or electronic communication service for billing or recording as an incident to billing for communications services or for cost accounting or other like purposes in the ordinary course of its business. (Sec. 9) Requires that the Attorney General's annual report to Congress regarding pen register and trap and trace devices include information concerning: (1) the period of interceptions authorized by the order and the number and duration of any extensions of the order; (2) the offense specified in the order, application, or extension; (3) the number of investigations involved; (4) the number and nature of the facilities affected; and (5) the identity of the applying investigative or law enforcement agency making the application and the person authorizing the order.
(Sec. 10) Rewrites code provisions regarding the interception and disclosure of wire, oral, or electronic communications to permit a person acting under color of law to intercept: (1) a wire, oral, or electronic communication if such person is a party to the communication or if one of the parties to the communication has given prior consent to such interception; and (2) a wire or electronic communication if the transmission is causing harmful interference to a lawfully operating computer system, if any person who is not a provider of service to the public and who is authorized to use the facility from which the wire or electronic communication is to be intercepted has given prior consent to the interception, and if the interception is conducted only to the extent necessary to identify the source of the harmful interference. (Sec. 11) Requires the Attorney General's annual reports to the Administrative Office of the United States Courts to include the number of orders in which encryption was encountered and whether such encryption prevented law enforcement from obtaining the plain text of communications intercepted.
(Sec. 12) Directs the Assistant Attorney General for the Department of Justice's Office of Justice Programs to make a grant to each State to: (1) assist State and local law enforcement in enforcing State and local criminal laws relating to computer crime and in educating the public to prevent and identify computer crime; (2) assist in educating and training State and local law enforcement officers and prosecutors to conduct investigations and forensic analyses of evidence and prosecutions of computer crime; (3) assist State and local law enforcement officers and prosecutors in acquiring computer and other equipment to conduct investigations and forensic analysis of evidence of computer crimes; and (4) facilitate and promote the sharing of federal law enforcement expertise and information about the investigation, analysis, and prosecution of computer crimes with State and local law enforcement officers and prosecutors, including the use of multi-jurisdictional task forces. Sets forth provisions regarding use of grant amounts, required State assurances to be eligible to receive a grant, and matching funds. Authorizes appropriations. Authorizes the Attorney General to use amounts made available herein to make grants to Indian tribes.

S.1495 - Crime Prevention Act of 1995

Introduced by Sen. Kyl, Jon [R-AZ] on 12/21/1995 Status: Failed Summary: Amends the Computer Fraud and Abuse Act to penalize individuals who knowingly access a computer without authorization or exceeding authorized access and obtain: (1) certain restricted data or information (data) and, with reason to believe that such data could be used to the injury of the United States or to the advantage of any foreign nation, willfully communicate, deliver, or transmit such data to any person not entitled to receive it or willfully retain and fail to deliver it to the U.S. officer or employee entitled to receive it; (2) information from any U.S. department or agency (department); or (3) information from any protected computer if the conduct involved an interstate or foreign communication. (Sec. 1303) Modifies such Act to penalize persons who intentionally, without authorization, access any computer of a U.S. department: (1) where such computer is exclusively for the use of the Government; or (2) where such conduct affects use by or for the Government. (Sec. 1304) Increases penalties for: (1) significant unauthorized use of a computer system; and (2) those who have previously violated such Act. (Sec. 1305) Modifies such Act to penalize individuals who, without authorization, intentionally or recklessly cause damage to a protected computer. (Sec. 1306) Makes unlawful the transmission in interstate or foreign commerce of threats directed against computers and computer networks with intent to extort any thing of value. (Sec. 1308) Revises such Act to limit damages to economic damages where the violation causes a loss of $1,000 or more during any one-year period (but sets no limit where damages are imposed for violations that modified or impaired, or potentially modified or impaired, the medical examination, diagnosis, or treatment of a person).
(Sec. 1309) Repeals a requirement that the Attorney General and the Secretary of the Treasury report annually to the Congress concerning specified computer crime investigations and prosecutions. (Sec. 1310) Directs the Commission to review existing sentencing guideline levels for fraud and related activity in connection with computers and to amend such guidelines to ensure that individuals convicted of specified offenses under such Act are incarcerated for at least one year. (Sec. 1311) Provides for asset forfeiture for fraud and related activity in connection with computers.
